Re: Is my home computer at risk knowing that nmap says...



On 28 May 2006, in the Usenet newsgroup comp.os.linux.security, in article
<1148807608.057988.272630@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>, GM wrote:

What? 1659 open ports? Sure looks to me as if the firewall went down.

Not only the firewall, but everything else - yeah, that would not be good.

Also, as for services, this computer is mailing me the running services,
which did not change either as I can read

netstat --inet -a | grep LISTEN | awk '{printf ("%s %d %d %s %s %s\n",$1,$2,$3,$4,$5,$6)}'

OK - you know what you are doing. That helps tremendously.

Yes, I know this is to be taken with a BIG grain of salt if the system
has ever been compromised.

Do you really need all those services running? Yes, I'd hope they are
restricted by a firewall or libwrap/tcp_wrappers, but just the same...

And well, if the firewall is down, then I can maybe ssh to my system, as
nmap reports to me:
22/tcp open ssh

But I can't:
ssh xxx.xxx.xxx.xxx
ssh_exchange_identification: read: Connection reset by peer

/usr/sbin/tcpdump -n -v -s 1500

Yes, ssh is encrypted, but see what you can see. Pay particular attention
to the TTL.

Well, perhaps my ssh is configured for access only from my internal
network.

One would hope so. Two things - I don't run ssh on port 22, and I use
port-knocking.

Now two tests I do; (Yeah, the first is a bit not so much netiquette
maybe. But I am a bit paranoid and want to be sure about my home computer)

I run:
#!/bin/bash

[...]

where (zzz==yyy+20), then scanning around my IP for other results from
nmap. It turns out that all these show nearly the same output (to my
surprise):

That smells strongly of a proxy. I'd be sniffing the wire and looking at
the TTLs. Also, you are flogging the crap out of the Internet, and if you
haven't been shut down locally for abuse, try using nmap to ID the operating
system of "your" home computer. man nmap and look at -sO and -O

I have a hard time believing all these computers around mine ALSO have
virtually no firewall... I can recognize my IAP name through reverse
DNS on each of the above IPs. So what? Could it be that my IAP
provider can "intercept" a scan and "report" spoofed results? I doubt it.

You are posting from Thailand. I don't _know_ that they have proxy servers,
but it's certainly not impossible. Singapore certainly does.

My IP here is aaa.bbb.ccc.ddd. Running.
nmap aaa.bbb.ccc.ddd

also gives tons of output (like 1600 lines showing "open"). But then
I log in to http://www.grc.com and ask for a scan of my ports on
aaa.bbb.ccc.ddd. It says all ports except #2 (closed) are stealth.
So what? There is something about nmap that I don't understand.

Well, grc.com sucks black holes through bucky-tubes, but this is suggesting
that what ever you are actually nmap'ing is one proxy server. Look really
hard at those TTLs, and compare them to what you see if you traceroute to
various destinations.

Old guy
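The TTL check suggested above, worked through as an added example (not code from the thread): it parses `tcpdump -n -v` output for SYN-ACKs from the scanned host, estimates how many hops away each answer originated from its TTL, and flags ports whose reply came from fewer hops than traceroute shows for the host itself, which is what you would expect if a proxy in between is answering for "open" ports. The tcpdump lines, addresses and the 13-hop traceroute distance are all constructed, and the script assumes the modern `Flags [S.]` tcpdump output format.

```python
import re

# Constructed tcpdump -n -v output (not from the thread). The real host
# answers port 22 with TTL 51; every other "open" port is answered with
# TTL 61, i.e. by something only a few hops away on the path.
TCPDUMP_OUTPUT = """\
12:00:01.000001 IP (tos 0x0, ttl 51, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    203.0.113.10.22 > 198.51.100.7.40001: Flags [S.], seq 1000, ack 1, win 5840, options [mss 1460], length 0
12:00:01.000123 IP (tos 0x0, ttl 61, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    203.0.113.10.80 > 198.51.100.7.40002: Flags [S.], seq 2000, ack 1, win 5840, options [mss 1460], length 0
12:00:01.000245 IP (tos 0x0, ttl 61, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    203.0.113.10.443 > 198.51.100.7.40003: Flags [S.], seq 3000, ack 1, win 5840, options [mss 1460], length 0
12:00:01.000367 IP (tos 0x0, ttl 61, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    203.0.113.10.8080 > 198.51.100.7.40004: Flags [S.], seq 4000, ack 1, win 5840, options [mss 1460], length 0
12:00:01.000489 IP (tos 0x0, ttl 51, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    203.0.113.10.25 > 198.51.100.7.40005: Flags [R.], seq 0, ack 1, win 0, length 0
"""

TTL_RE = re.compile(r"\bttl (\d+)\b")
# source IP, source port, and the SYN-ACK flag combination on the TCP line
SYNACK_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > \S+: Flags \[S\.\]")
INITIAL_TTLS = (64, 128, 255)  # common OS default TTLs


def synack_ttls(dump, target):
    """Map each port of `target` that answered SYN-ACK to the IP TTL seen.

    tcpdump -v prints the IP header (with the TTL) on one line and the TCP
    header on the next, so the TTL is remembered until the TCP line is read.
    """
    ttls, pending_ttl = {}, None
    for line in dump.splitlines():
        m = TTL_RE.search(line)
        if m:
            pending_ttl = int(m.group(1))
            continue
        m = SYNACK_RE.search(line)
        if m and m.group(1) == target and pending_ttl is not None:
            ttls[int(m.group(2))] = pending_ttl
    return ttls


def hops_from_ttl(ttl):
    """Estimate hop distance, assuming the sender began at the nearest common default TTL."""
    initial = min(t for t in INITIAL_TTLS if t >= ttl)
    return initial - ttl


def suspicious_ports(dump, target, traceroute_hops):
    """Ports whose SYN-ACK came from fewer hops than traceroute shows for the host."""
    return sorted(p for p, ttl in synack_ttls(dump, target).items()
                  if hops_from_ttl(ttl) < traceroute_hops)


if __name__ == "__main__":
    print(suspicious_ports(TCPDUMP_OUTPUT, "203.0.113.10", 13))  # [80, 443, 8080]
```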